HIPAA Security Overview
Centers for Medicare & Medicaid Services (CMS)

Agenda
• Role of CMS
• Security Rule Overview
• CMS’ HIPAA Security Strategy
• Providence Resolution Agreement
• Summary & Conclusion
• Q&A

Role of CMS
• CMS has delegated authority to enforce the non-privacy provisions of the HIPAA regulations:
  • Transactions and Code Sets
  • Identifiers (NPI, EIN)
  • Security
• CMS is responsible for HIPAA enforcement as well as:
  • Regulatory/Policy Interpretation
  • Outreach and Education
  • Guidance and FAQs
  • New Regulations (including other ehealth related issues, e.g. eRx)

Security Rule Overview
• Applies to Electronic Protected Health Information (EPHI) that a covered entity creates, receives, maintains, or transmits
• Scalability/Flexibility
  • Based on organization size, complexity, technical capabilities and infrastructure, cost of security measures and potential security risks
• Technologically Neutral
  • Describes “what” needs to be done vs. “how” it is to be done
• Standards are required but the implementation specifications may be either required or addressable

CMS’ HIPAA Security Strategy
• CMS takes a three-prong approach to HIPAA Security. The three prongs are:
  • Outreach & Education
  • Enforcement
  • Compliance Reviews

Outreach and Education Efforts
• Federal and Non-Federal Collaboration
• Develop/Disseminate Educational & Guidance Materials
  • Security Papers
    • Administrative, Physical and Technical Safeguards
    • Basics of Risk Analysis and Risk Management
    • Implementation for the Small Provider
  • Frequently Asked Questions
  • Security Compliance Review Checklist
  • Remote Use and Access Guidance
• The materials can be found on the CMS Website at: http://www.cms.hhs.gov (under the link for Regulations and Guidance).

Outreach & Education - Remote Use & Access Guidance Rationale
• Increased risk to protected health information
  • Associated with increased remote access to EPHI
  • Increase in workforce mobility
  • Increase in use of portable media storage devices
• Recent security related incidents
  • Reported loss or theft of devices containing EPHI
  • Reported access to health information by unauthorized users

Outreach & Education - Highlights of Remote Access Guidance
• Published December 28, 2006
• Reiterates requirements of the HIPAA Security Rule
• Identifies strategies consistent with organizational capabilities (Scalable and Flexible)
• Pertains to Access, Storage and Transmission of EPHI
• Three categories of action highlighted:
  • Conducting Security Risk Assessment
  • Developing and Implementing Policies and Procedures
  • Implementing Mitigation Strategies

HIPAA Security Enforcement – Current Process
• Review complaint to determine validity and scope
• Notify “Filed Against Entity” (FAE) of complaint
• Request specific documents from the FAE
• Assess documents to determine if they:
  • Demonstrate compliance
  • Demonstrate the need for a Corrective Action Plan (CAP)
• Monitor CAPs to completion
• Close complaint upon demonstration of compliance
• Issue closure correspondence to all parties

HIPAA Security Enforcement – Overlapping Complaints
• CMS and the Office for Civil Rights (OCR) collaborate on cases that overlap the Security and Privacy Rules
• Approximately 70% of the CMS Security cases are referrals from OCR
• Majority of Security complaints – allegation of inappropriate access and risk of inappropriate disclosure

HIPAA Security Enforcement - Complaint Categories
• Unauthorized access to EPHI
  • Employees or relatives accessing EPHI
• Loss or theft of devices containing EPHI
  • Small volume of complaints; large volume of records
• Insufficient access controls for systems containing EPHI
  • Shared passwords
  • Encryption
• CMS has received 350 Security Rule complaints
  • 102 cases are open
  • 248 cases have been resolved

Onsite HIPAA Security Compliance Reviews
• Contracted with Price Waterhouse Coopers (PwC) for 10 reviews in 2008
• Reviews place emphasis on remote use and access issues
• CMS publishes de-identified post-review information
• Initial target:
  • Entities against whom a complaint has been filed and
  • Reported risk to security of large volume of records
• The compliance reviews will be used as a tool to achieve voluntary compliance

Onsite HIPAA Security Compliance Reviews - Continued
• Compliance reviews have revealed several key areas of vulnerability to include:
  • Lack of encryption for portable devices and media
  • Lack of verification of role-based access privileges
• Reviews have resulted in CAPs that include:
  • Policies and procedures for remote use/access
  • Designation of internal security audit personnel
• Compliance review cases are generally closed when CMS verifies completion of CAP

OIG Security Audit Initiative
• Objective is to determine if certain covered entities have implemented measures in accordance with provisions of the HIPAA Security Rule
• The recent OIG review of Piedmont Hospital highlighted issues related to:
  • Technical safeguard vulnerabilities for wireless communications
  • Vulnerabilities involving physical access to electronic information systems and the facilities
  • Administrative safeguard vulnerability related to business associate contracts

Providence Resolution Agreement – What Does it Mean?
• Background:
  • Case involved 386,000 unencrypted patient records
  • $100,000 resolution amount paid to HHS
  • 3 year corrective action monitoring
• Significance:
  • Landmark case – First resulting in monetary fine
  • Sets the stage for similar action for similar cases
  • Represents the evolution of CMS’ enforcement efforts

Summary & Conclusion
• Security provides opportunity and obligation
• CMS’ three-pronged approach:
  • Outreach and Education
  • Enforcement
  • Compliance Review
• Consequences of non-compliance:
  • Loss of resources
  • Loss of time
  • Loss of TRUST